18

Is there any way to modify central repository's configuration to disallow any remote pushing to master branch (using git)? It would only be updated via branch merging by a release owner.

It is possible to do in child repositories, but unfortunately it's not always foolproof enough: it's easy to forget to do it on a new machine, so there is no way to protect from accidental pushes. Developers should be able to pull from any branch and push back to any branch, except for master, which we want to see as read-only. Is it possible with git? Or are we trying a wrong workflow?

Update tl;dr: thanks to Charles Bailey, the answer is checking out master and adding the following config:

`receive.denyCurrentBranch = true`
kibitzer
    I have provided an example script for a similar problem in [How to configure read-only branches in a central “development repository”?](http://stackoverflow.com/questions/14502164/how-to-configure-read-only-branches-in-a-central-development-repository) – Alberto Jan 24 '13 at 13:32

1 Answer

12

You should take a look at the sample update hook called update-paranoid in the contrib directory of the git distribution. It allows you to set up per-branch ACLs restricting who is allowed to push to which branches. This way you can restrict updating master to just release owners.

I'm not quite sure what you mean by "only updated via branch merging". I'm assuming that your central repository is bare, in which case branches are usually only updated by a push. There's no conceptual difference in git between pushing a commit that is a merge and one that isn't so I'm not sure what your criteria for restricting the type of update for master is intended to be.

In the case that you are pushing to a non-bare central repository and master is always the checked out branch then you can simply set the config variable receive.denyCurrentBranch to true or refuse.

CB Bailey
  • It should be done locally (via merge), as opposed to remote `push` which we want to prohibit. And no, it's not bare - `master` is checked out and is a working copy so to speak. Thanks, I'll take a look at the update-paranoid, maybe restricting to one person will do. – kibitzer Jan 11 '10 at 23:12
  • OK, I'll bite. Why isn't your central repository bare and which branch is generally the checked out branch? – CB Bailey Jan 11 '10 at 23:17
  • `master` is the checked out branch; we could create a bare repository but I don't see a point since the idea was to prohibit direct pushing to master; hence this question. we could create a bare repository and pull from it if it would help at all in our quest for a read-only master :) – kibitzer Jan 11 '10 at 23:19
  • 1
    OK, in your specific case the easiest solution is to just set the config variable `receive.denyCurrenyBranch` to `true` or `refuse`. This will prevent anyone from updating the current branch, i.e. master, via a push. – CB Bailey Jan 11 '10 at 23:22
  • simple and works, just what is needed. thanks! (I figured there's a typo ;) ). – kibitzer Jan 11 '10 at 23:28
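
For the bare-repository case the answer mentions, a per-branch restriction can be enforced with an `update` hook. The following is an added example, not part of the original thread and not the `update-paranoid` script itself. It assumes each developer pushes under their own system account, and `hooks.masterowners` is a hypothetical config key holding a space-separated list of release owners.

```shell
#!/bin/sh
# Install as hooks/update in the central repository and make it executable.
# git runs it once per pushed ref as:  update <refname> <old-sha> <new-sha>
# A non-zero exit rejects that ref only; other refs in the same push still go through.

PROTECTED_REF="refs/heads/master"

# is_allowed <refname> <user> <space-separated owners>
# Returns 0 if the update may proceed, 1 if it must be refused.
is_allowed() {
    _ref=$1
    _user=$2
    _owners=$3
    # Only the protected branch is restricted; every other ref stays open.
    [ "$_ref" = "$PROTECTED_REF" ] || return 0
    for _owner in $_owners; do
        if [ "$_owner" = "$_user" ]; then
            return 0
        fi
    done
    # Protected branch and the user is not listed (or the list is empty): refuse.
    return 1
}

# Act as a hook only when git supplies its three arguments.
if [ "$#" -eq 3 ]; then
    # hooks.masterowners is a hypothetical key chosen for this example, set with:
    #   git config hooks.masterowners "alice bob"
    owners=$(git config --get hooks.masterowners)
    user=$(id -un)
    if ! is_allowed "$1" "$user" "$owners"; then
        echo "*** $user may not update $1; ask a release owner to merge." >&2
        exit 1
    fi
fi
```

If `hooks.masterowners` is unset, the owner list is empty and every push to master is refused, so the hook fails closed.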